Aditya Khullar, Chief Information Security Officer and Data Privacy Officer at Adani Digital Labs
As threat vectors change and digital transformation accelerates, cybersecurity leaders are tasked with providing much more than protection; they also need to foster growth while maintaining trust. Aditya Khullar, Chief Information Security Officer and Data Privacy Officer at Adani Digital Labs, offers sixteen years of strategic experience.
In this candid dialogue, he shares his profession’s priorities for 2025, lessons learned from implementing Zero Trust, along with practical frameworks that are working at the ground level.
What is your top cybersecurity priority for the next 12 months?
Our near-term focus is on expanding our detection and response capabilities. The sophistication of cyber threats is increasing, and traditional perimeter defences are insufficient. We are building out continuous testing processes throughout our digital ecosystem. We’ve also invested heavily in threat intelligence and threat detection capabilities. What is important to us is to reach as close to real-time anomaly detection and response capabilities as possible—essentially transitioning from a reactive state of security posture to a state of predictive security.
What emerging threats or trends are you most concerned about in 2025?
Generative AI is a double-edged sword. In addition to strengthening a defender’s capabilities, it also enables attackers to produce incredibly real emails and phishing materials, deepfakes, and automated tools for exploitation. GenAI-related attacks are rising rapidly. We’re also seeing risks from cloud misconfigurations, often from human error, and application-level vulnerabilities, which are much less likely to be captured by typical scanning tools like the NIST/OWASP framework, which is still the baseline standard where we are at in the industry. These are the risks that are keeping CISOs up at night.
How are you incorporating cybersecurity with your business priorities?
Cybersecurity needs to be part of the organisation and not bolted on. We work hand in hand with business colleagues to integrate security from the outset of a digital transformation initiative, so that innovation occurs securely without unnecessary friction.
That said, compliance is non-negotiable, and governance plays a key role for us, which allows us to meet regulatory expectations without slowing down the velocity of change.
Can you provide an example of a single security best practice or framework that worked well for you?
We implement a federated cybersecurity model successfully. Property and business unit leaders have centralised governance, defining standards and policies, but permit execution of the standards across their organisational areas. This maintains consistency of controls but allows for agility and responsiveness at the local level. Along with this, we have emboldened a sense of ownership at every tier of the organisation where individual teams feel empowered to own the management of their security posture.
What would you recommend to your fellow CISOs to build a culture of cybersecurity throughout the whole organisation?
First, you need to speak the language of the business; a cyber risk is a business risk. If people can understand how a data breach could impact revenue, reputation, or customer trust, people will pay attention.
Secondly, simplify how you communicate—don’t use jargon.
Lastly, build ongoing awareness by engaging them in continuous training, policy refreshers, and simulations. A strong security culture is not driven by tools; it’s driven by empowered people.
How does your organisation manage the risk that third-party vendors bring to the supply chain?
Vendor risk is an extension of enterprise risk and is treated with the same degree of rigour. Each third-party engagement involves ongoing risk assessments, and all of our contracts contain mandated security clauses. However, we do more than ensure compliance. We incorporate vendors into our overarching Governance Framework, Risk, and Compliance (GRC) structure, so there is greater support for collective accountability, visibility of compliance, and the consistent application of security standards throughout the value chain.
What is the organisation’s approach to secure cloud and hybrid infrastructure?
Our approach is based on a secure-by-design methodology. This means the security of the architecture work itself started at the conceptual phase, not bolted on later. In the architecture, we use continuous monitoring and a Zero Trust Access model across our multi-cloud environment.
We are now in a hybrid world where the perimeter is pliable, so context-aware access and real-time monitoring are essential pieces of the puzzle and greatly reduce exposure.
Have you implemented Zero Trust Architecture? What were your learnings from the implementation journey?
Yes, we have implemented it. The takeaway, by far, is to start with IAM—it is a foundational block for Zero Trust. If you do not have strong controls on who has access to what, Zero Trust will fail.
Ensuring executive buy-in is important because Zero Trust affects both technology and workflows. One of the biggest challenges encountered was with older legacy systems that were not built to support granular access controls. We developed a multi-pronged phased implementation and change management plan to help support this.
With privacy regulations like India’s DPDP Act and the GDPR, how will you meet compliance expectations?
We are relying on Generally Accepted Privacy Principles (GAPPs) as a strong base to rely on, regardless of jurisdiction. With this framework, we will be able to align globally and work locally. We have built operationally from a privacy-by-design framework, and all new systems/products have gone through the stage of evaluation from a data protection perspective during the design process. We have developed and put in place tools for ongoing audits as well as tools for data lifecycle mapping and readiness for breaches as part of our regulatory assurance programme.
aanchalg@cybermedia.co.in